Add attribute to Active Directory

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Does anyone know how to add an attribute top an active directory account in
Windows 2000, but make it so other users can not view the attribute?

For example, create a social security number attribute and hide it from
most groups.
 
Hi,

Yep it's possible to create an attribute and hide it from the specified
groups. I did some research and found the following studies.

This high level of control allows an administrator to grant individual
users and groups varying levels of permissions for objects and their
properties. Administrators can even add attributes to objects and hide
those attributes from certain groups of users. For example, the
administrator could set the ACLs such that only managers can view the home
phone numbers of other users. Nonmanagers would not even know that the
attribute existed.

A concept new to Windows 2000 Server is delegated administration. This
allows administrators to assign administrative tasks to other users, while
not granting those users more power than necessary. Delegated
administration can be assigned over specific objects or contiguous subtrees
of a directory

Access controls can hide mandatory attributes too.

Also go thru the article for more information at
http://www.awprofessional.com/articles/article.asp?p=26136&seqNum=4

I hope the above posting would be helpfull for you.

Thanks,
(e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Wosully,

If you are talking about adding new attributes that aren't in the directory
you would be extending the schema. I would point out that this, while not
hard to do, should never be done lightly and without forethought.

To be able to do this, you will have to add yourself to the schema
administrators group -- no, neither Domain Admins or Enterprise Admins are
in this by default.

Secondly, I would caution against just adding attributes to the User class.
Instead create a new class (like employee) that inherits from the User base
class and add your attributes to that.
 
Thank you both very much for your help.

I think we will have to extend the schema and I will create a new class,
because I have heard that is the safest thing to do. Any additional tips
would be greatly appreciated. I still will hide the attribute users: it will
be a social security number.
 
Back
Top